Barracuda ESG Under Siege by UNC4841 Exploiting Zero-Day Vulnerability


Amid the ever-evolving battlefield of cybersecurity, a newly-discovered zero-day vulnerability, recognized as CVE-2023-7102, has emerged to challenge the defenses of global information systems. China-based cyber-espionage actors identified as UNC4841 have exploited this flaw in Barracuda’s Email Security Gateway (ESG) appliances with surgical precision. Since November 30, these attackers have cunningly leveraged the vulnerability within the ‘Spreadsheet::ParseExcel’ open source library, a component vital for malware detection in Excel email attachments.

The exploitation process of CVE-2023-7102 is notably insidious. Attackers embed malicious code in a specially crafted Excel file and send it as an email attachment. When the ESG appliance scans the email, the attachment is parsed by Spreadsheet::ParseExcel and the embedded code executes on the appliance without any user interaction, giving attackers an unrestricted gateway into the victim’s systems and resulting in unauthorized access and potential data exfiltration. This campaign has primarily ensnared government entities and high-tech and IT organizations in the United States and the Asia-Pacific and Japan (APJ) region.

Mandiant, the frontline cyber intelligence firm, has unmasked the threat actor UNC4841 as the Chinese cyberspy group driving this nefarious campaign—highlighting the international dimensions of cyber threats. Worryingly, UNC4841 appears to constantly refine its arsenal, employing updated SaltWater and SeaSpy malware variants to facilitate these attacks. This adaptability signals a persistent and evolving threat.

The response to the incursion was swift, with Barracuda issuing crucial [updates](https://www.barracuda.com/support/knowledgebase/50160000000IFlx) on December 21 and 22, 2023, to patch the exposed chink in its armor. Despite these efforts, a lingering vulnerability, catalogued as CVE-2023-7101 in the same Spreadsheet::ParseExcel library, remains unresolved.

With a patch for CVE-2023-7101 still in the works, Barracuda has urged its ecosystem to embrace other [remediation measures](https://campus.barracuda.com/product/networkaccessclient/doc/93201552/what-s-new-in-barracuda-network-access-client-5-2/) and remain vigilant against any ancillary exploits. It is critical to acknowledge that UNC4841 has a history of deploying potent cyber tools, such as the Barracuda LUA modules, SandBar rootkit, and even earlier zero-days, dramatically exemplified by CVE-2023-2868.

Past forays by UNC4841 have blanketed a multitude of sectors over 16 countries, with a marked focus on the Americas. The continuous evolution of threat actors like UNC4841 illustrates an ominous trend: cyber adversaries are relentless in their pursuit to exploit vulnerabilities—and they are not confined by geographic borders.

In an environment where cyber incursions are as unpredictable as they are damaging, Mandiant warns that UNC4841 may broaden its sights, signifying that perpetual vigilance and prompt action are imperative to cyber safety. It’s more crucial than ever for organizations across the globe to strengthen their digital defenses and remain ahead of the curve in this ongoing cyber arms race.

December 30, 2023
UNC4841 has exploited a zero-day in Barracuda's ESG, affecting global information systems and raising serious cybersecurity concerns.